Re: [SECURITY] [DSA-2010-1] New kvm packages fix several vulnerabilities

2010-03-10 Thread Daniel Kahn Gillmor
Hi Debian Security folks--

On 03/10/2010 01:18 PM, dann frazier wrote:
 
 Debian Security Advisory DSA-2010  secur...@debian.org
 http://www.debian.org/security/ Dann Frazier
 March 10, 2010   http://www.debian.org/security/faq
 
 
 Package: kvm
 Vulnerability  : privilege escalation/denial of service
 Problem type   : local
 Debian-specific: no
 CVE Id(s)  : CVE-2010-0298 CVE-2010-0306 CVE-2010-0309 CVE-2010-0419
 
 Several local vulnerabilities have been discovered in kvm, a full
 virtualization system. The Common Vulnerabilities and Exposures project
 identifies the following problems:
 
 CVE-2010-0298  CVE-2010-0306
 
 Gleb Natapov discovered issues in the KVM subsystem where missing
 permission checks (CPL/IOPL) permit a user in a guest system to
 denial of service a guest (system crash) or gain escalated
 privileges with the guest.
 
 CVE-2010-0309
 
 Marcelo Tosatti fixed an issue in the PIT emulation code in the
 KVM subsystem that allows privileged users in a guest domain to
 cause a denial of service (crash) of the host system.
 
 CVE-2010-0419
 
 Paolo Bonzini found a bug in KVM that can be used to bypass proper
 permission checking while loading segment selectors. This
 potentially allows privileged guest users to execute privileged
 instructions on the host system.
 
 For the stable distribution (lenny), this problem has been fixed in
 version 72+dfsg-5~lenny5.
 
 For the testing distribution (squeeze), and the unstable distribution (sid),
 these problems will be addressed within the linux-2.6 package.
 
 We recommend that you upgrade your kvm package.
 
 Upgrade instructions
 
 
 wget url
 will fetch the file for you
 dpkg -i file.deb
 will install the referenced file.
 
 If you are using the apt-get package manager, use the line for
 sources.list as given below:
 
 apt-get update
 will update the internal database
 apt-get upgrade
 will install corrected packages
 
 You may use an automated update by adding the resources from the
 footer to the proper configuration.

It's not clear to me from the instructions above whether users should
re-build their kvm modules package as well as installing the revised
versions.

Is the vulnerability fully-resolved by simply upgrading the kvm package?
(i really don't know, and figure y'all are the right folks to ask).  I
note that there are kvm modules shipped with the default stable kernel.

If more steps are needed, maybe we need additional DSA boilerplate for
these kinds of announcements in the future.

Thanks for all the work you do to keep debian in good shape.  it's very
much appreciated!

--dkg





Re: [SECURITY] [DSA-2010-1] New kvm packages fix several vulnerabilities

2010-03-10 Thread dann frazier
On Wed, Mar 10, 2010 at 02:18:38PM -0500, Daniel Kahn Gillmor wrote:
 Hi Debian Security folks--
 
 On 03/10/2010 01:18 PM, dann frazier wrote:
  
  Debian Security Advisory DSA-2010  secur...@debian.org
  http://www.debian.org/security/ Dann Frazier
  March 10, 2010   http://www.debian.org/security/faq
  
  
  Package: kvm
  Vulnerability  : privilege escalation/denial of service
  Problem type   : local
  Debian-specific: no
  CVE Id(s)  : CVE-2010-0298 CVE-2010-0306 CVE-2010-0309 CVE-2010-0419
  
  Several local vulnerabilities have been discovered in kvm, a full
  virtualization system. The Common Vulnerabilities and Exposures project
  identifies the following problems:
  
  CVE-2010-0298  CVE-2010-0306
  
  Gleb Natapov discovered issues in the KVM subsystem where missing
  permission checks (CPL/IOPL) permit a user in a guest system to
  denial of service a guest (system crash) or gain escalated
  privileges with the guest.
  
  CVE-2010-0309
  
  Marcelo Tosatti fixed an issue in the PIT emulation code in the
  KVM subsystem that allows privileged users in a guest domain to
  cause a denial of service (crash) of the host system.
  
  CVE-2010-0419
  
  Paolo Bonzini found a bug in KVM that can be used to bypass proper
  permission checking while loading segment selectors. This
  potentially allows privileged guest users to execute privileged
  instructions on the host system.
  
  For the stable distribution (lenny), this problem has been fixed in
  version 72+dfsg-5~lenny5.
  
  For the testing distribution (squeeze), and the unstable distribution (sid),
  these problems will be addressed within the linux-2.6 package.
  
  We recommend that you upgrade your kvm package.
  
  Upgrade instructions
  
  
  wget url
  will fetch the file for you
  dpkg -i file.deb
  will install the referenced file.
  
  If you are using the apt-get package manager, use the line for
  sources.list as given below:
  
  apt-get update
  will update the internal database
  apt-get upgrade
  will install corrected packages
  
  You may use an automated update by adding the resources from the
  footer to the proper configuration.
 
 It's not clear to me from the instructions above whether users should
 re-build their kvm modules package as well as installing the revised
 versions.
 
 Is the vulnerability fully-resolved by simply upgrading the kvm package?
 (i really don't know, and figure y'all are the right folks to ask). 

If you've never built/installed modules from the kvm-source package,
this advisory does not apply to you. If you have - you will need to
update your kernel-source package and rebuild/reload those modules.

 I note that there are kvm modules shipped with the default stable
 kernel.

Yes, these issues are being tracked there as well (3/4 are already
fixed in the latest stable update)

 If more steps are needed, maybe we need additional DSA boilerplate for
 these kinds of announcements in the future.

Yes, that's probably a good idea.

 Thanks for all the work you do to keep debian in good shape.  it's very
 much appreciated!
 
   --dkg
 



-- 
dann frazier


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20100310194923.gb1...@lackof.org



Re: [SECURITY] [DSA-2010-1] New kvm packages fix several vulnerabilities

2010-03-10 Thread Daniel Kahn Gillmor
On 03/10/2010 02:49 PM, dann frazier wrote:
 On Wed, Mar 10, 2010 at 02:18:38PM -0500, Daniel Kahn Gillmor wrote:
 It's not clear to me from the instructions above whether users should
 re-build their kvm modules package as well as installing the revised
 versions.

 Is the vulnerability fully-resolved by simply upgrading the kvm package?
 (i really don't know, and figure y'all are the right folks to ask). 
 
 If you've never built/installed modules from the kvm-source package,
 this advisory does not apply to you. If you have - you will need to
 update your kernel-source package and rebuild/reload those modules.

So i have a lenny system, running 2.6.26-2-amd64.  When it was running
2.6.26-1-amd64, i built and installed modules from the kvm_source. but
when i upgraded to 2.6.26-2-amd64, i didn't bother to build new modules,
and just went with the kvm modules shipped in the stock
linux-image-2.6.26-2-amd64 package.

A literal reading of your response above makes me think i need to do
rebuild for that system, but if i'm actually understanding you, it
sounds like i *don't* need to do a module rebuild.  argh.

sorry if this line of questioning is annoying or frustrating.  i'm not
trying to be obnoxious or pedantic, i'm trying to make sure i actually
understand the issue.

 I note that there are kvm modules shipped with the default stable
 kernel.
 
 Yes, these issues are being tracked there as well (3/4 are already
 fixed in the latest stable update)

Nice, thanks for the info.  So would the 4th be fixed if i went ahead
and rebuilt from the kvm_source package referenced by DSA-2010-1?

Regards,

--dkg





Re: [SECURITY] [DSA-2010-1] New kvm packages fix several vulnerabilities

2010-03-10 Thread dann frazier
On Wed, Mar 10, 2010 at 04:09:48PM -0500, Daniel Kahn Gillmor wrote:
 On 03/10/2010 02:49 PM, dann frazier wrote:
  On Wed, Mar 10, 2010 at 02:18:38PM -0500, Daniel Kahn Gillmor wrote:
  It's not clear to me from the instructions above whether users should
  re-build their kvm modules package as well as installing the revised
  versions.
 
  Is the vulnerability fully-resolved by simply upgrading the kvm package?
  (i really don't know, and figure y'all are the right folks to ask). 
  
  If you've never built/installed modules from the kvm-source package,
  this advisory does not apply to you. If you have - you will need to
  update your kernel-source package and rebuild/reload those modules.
 
 So i have a lenny system, running 2.6.26-2-amd64.  When it was running
 2.6.26-1-amd64, i built and installed modules from the kvm_source. but
 when i upgraded to 2.6.26-2-amd64, i didn't bother to build new modules,
 and just went with the kvm modules shipped in the stock
 linux-image-2.6.26-2-amd64 package.
 
 A literal reading of your response above makes me think i need to do
 rebuild for that system, but if i'm actually understanding you, it
 sounds like i *don't* need to do a module rebuild.  argh.

Yeah, in that case, you do not need to rebuild.
Basically, if you have kvm-modules-$(uname -r) installed, you need to
upgrade/rebuild. If you don't, then you don't.

 sorry if this line of questioning is annoying or frustrating.  i'm not
 trying to be obnoxious or pedantic, i'm trying to make sure i actually
 understand the issue.
 
  I note that there are kvm modules shipped with the default stable
  kernel.
  
  Yes, these issues are being tracked there as well (3/4 are already
  fixed in the latest stable update)
 
 Nice, thanks for the info.  So would the 4th be fixed if i went ahead
 and rebuilt from the kvm_source package referenced by DSA-2010-1?

Yes.

-- 
dann frazier


-- 
Archive: http://lists.debian.org/20100310215312.gd1...@lackof.org



[Fwd: Re: [SECURITY] [DSA-2010-1] New kvm packages fix several vulnerabilities]

2010-03-10 Thread Daniel Kahn Gillmor
sorry, this proposed boilerplate change was meant to go to the list, not
just to dann.

Thanks for all your work, folks.

--dkg
---BeginMessage---
On 03/10/2010 04:53 PM, dann frazier wrote:
 On Wed, Mar 10, 2010 at 04:09:48PM -0500, Daniel Kahn Gillmor wrote:
 So would the 4th be fixed if i went ahead
 and rebuilt from the kvm_source package referenced by DSA-2010-1?
 
 Yes.

Thank you for your prompt explanations, and for your patience, dann.  I
think i understand the situation now.

Here is proposed boilerplate for future notices like this about kvm:

Where it used to say:

 We recommend that you upgrade your kvm package.

It could say:

 We recommend that you upgrade your kvm package.  If your system is
 currently using a kvm-modules package built from previous versions of
 the kvm-source package, we recommend that you upgrade your kvm-source
 package, re-build a new kvm-modules package and install it.  You should
 subsequently unload the old kvm modules from your kernel and reload the
 newly built kernel modules.  The simplest way to accomplish this kernel
 module unload/reload is a system restart.

Feel free to edit it as you see fit, of course.

Regards,

--dkg



---End Message---




Re: [Fwd: Re: [SECURITY] [DSA-2010-1] New kvm packages fix several vulnerabilities]

2010-03-10 Thread Michael Gilbert
On Wed, 10 Mar 2010 17:21:45 -0500, Daniel Kahn Gillmor wrote:
 We recommend that you upgrade your kvm package.  If your system is
 currently using a kvm-modules package built from previous versions of
 the kvm-source package, we recommend that you upgrade your kvm-source
 package, re-build a new kvm-modules package and install it.  You should
 subsequently unload the old kvm modules from your kernel and reload the
 newly built kernel modules.  The simplest way to accomplish this kernel
 module unload/reload is a system restart.

a restart is (almost) never the answer. i think a better approach would
be the following simple instructions

 if you have previously installed the kvm modules on your system, they
 need to be refreshed following an upgrade of your kvm packages.  please
 execute the following commands as root after the new packages are
 installed:

  # m-a a-i kvm-source
  # modprobe kvm

mike


-- 
Archive: http://lists.debian.org/20100310174410.1e99b2e5.michael.s.gilb...@gmail.com



Re: [Fwd: Re: [SECURITY] [DSA-2010-1] New kvm packages fix several vulnerabilities]

2010-03-10 Thread dann frazier
On Wed, Mar 10, 2010 at 05:44:10PM -0500, Michael Gilbert wrote:
 On Wed, 10 Mar 2010 17:21:45 -0500, Daniel Kahn Gillmor wrote:
  We recommend that you upgrade your kvm package.  If your system is
  currently using a kvm-modules package built from previous versions of
  the kvm-source package, we recommend that you upgrade your kvm-source
  package, re-build a new kvm-modules package and install it.  You should
  subsequently unload the old kvm modules from your kernel and reload the
  newly built kernel modules.  The simplest way to accomplish this kernel
  module unload/reload is a system restart.
 
 a restart is (almost) never the answer. i think a better approach would
 be the following simple instructions
 
  if you have previously installed the kvm modules on your system, they
  need to be refreshed following an upgrade of your kvm packages.  please
  execute the following commands as root after the new packages are
  installed:
 
   # m-a a-i kvm-source
   # modprobe kvm

If kvm is running, the above commands will succeed w/o error - but
still leave you with a vulnerable system.

You would need to shut down all users of kvm and unload the existing
module as well.

-- 
dann frazier


-- 
Archive: http://lists.debian.org/20100311004114.ge1...@lackof.org
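
The last reply's point, that `modprobe kvm` succeeds without error while the old module stays resident, can be checked directly. The script below is an added example, not part of the thread or of any Debian tooling: it compares the srcversion of the loaded module with the one on disk. It assumes the kernel exports `/sys/module/kvm/srcversion` (only present when the module was built with a srcversion); the optional sysfs root argument and the script name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): is the kvm module in the running
# kernel the same build as the one now on disk?

# Print the srcversion of a loaded module.
# Returns 1 if not loaded, 2 if the kernel exports no srcversion for it.
# $2 is a hypothetical sysfs root override so the logic can be tested.
loaded_srcversion() {
    dir="${2:-/sys/module}/$1"
    [ -d "$dir" ] || return 1
    [ -r "$dir/srcversion" ] || return 2
    cat "$dir/srcversion"
}

# module_state MODULE ONDISK_SRCVERSION [SYSFS_ROOT]
# Prints one of: not-loaded, unknown, current, stale-in-use, stale-idle
module_state() {
    mod=$1; ondisk=$2; root=${3:-/sys/module}
    rc=0
    running=$(loaded_srcversion "$mod" "$root") || rc=$?
    case $rc in
        1) echo not-loaded; return 0 ;;
        2) echo unknown; return 0 ;;
    esac
    if [ "$running" = "$ondisk" ]; then
        echo current
        return 0
    fi
    # Old code is still resident. A non-zero refcnt means something (a
    # dependent module such as kvm_intel/kvm_amd, or another user) still
    # holds it, so it cannot be unloaded yet and modprobe will not replace it.
    refcnt=$(cat "$root/$mod/refcnt" 2>/dev/null || echo 0)
    if [ "$refcnt" -gt 0 ]; then echo stale-in-use; else echo stale-idle; fi
}

# Usage: sh check-kvm.sh --check   (script name is a placeholder)
if [ "${1:-}" = "--check" ]; then
    pkg="kvm-modules-$(uname -r)"
    if ! dpkg -s "$pkg" 2>/dev/null | grep -q '^Status: install ok installed'; then
        echo "$pkg not installed: no rebuild needed"
        exit 0
    fi
    ondisk=$(modinfo -F srcversion kvm) || exit 2
    module_state kvm "$ondisk"
fi
```

Any `stale-*` result after rebuilding means the running kernel still executes the old code until the module is unloaded and loaded again.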